<!DOCTYPE html>
<html>
<head>
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" href="https://best.openssf.org/assets/css/style.css">
<link rel="stylesheet" href="checker.css">
<script src="checker.js"></script>
<script src="sql-injection.js"></script>
<link rel="license" href="https://creativecommons.org/licenses/by/4.0/">

<!-- See create_labs.md for how to create your own lab! -->

</head>
<body>
<!-- For GitHub Pages formatting: -->
<div class="container-lg px-3 my-5 markdown-body">
<h1>Lab Exercise sql-injection</h1>
<p>
This is a lab exercise on developing secure software.
For more information, see the <a href="introduction.html" target="_blank">introduction to
the labs</a>.

<p>
<h2>Goal</h2>
<p>
<b>Practice constructing parameterized statements to prevent SQL injection attacks.</b>

<p>
<h2>Background</h2>
<p>
Parameterized statements prevent SQL injection attacks by separating SQL code from its data inputs. A parameterized statement is a SQL query that uses placeholders instead of directly embedding user input into the query text, so the database always treats the supplied values as data rather than as SQL code, and malicious input cannot change the structure of the query.
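<p>
As an added illustration of the point above (this is not code from the lab or from the Fundamentals course), the following Java program runs the same lookup once by string concatenation and once through a <tt>PreparedStatement</tt>; the class name <tt>AuthorLookup</tt>, the <tt>authors</tt> table and the use of the sqlite-jdbc driver for an in-memory database are assumptions. With a legitimate surname that contains an apostrophe, the prepared statement returns the matching row while the concatenated query fails to parse, which shows that the placeholder keeps the input as data.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class AuthorLookup {
    // Vulnerable: the caller's input becomes part of the SQL text itself.
    static int countByConcatenation(Connection conn, String lastname) throws SQLException {
        String sql = "select count(*) from authors where lastname = '" + lastname + "'";
        try (Statement stmt = conn.createStatement();
             ResultSet rs = stmt.executeQuery(sql)) {
            rs.next();
            return rs.getInt(1);
        }
    }

    // Safe: the SQL text is fixed; the driver sends the value separately, as data.
    static int countByPreparedStatement(Connection conn, String lastname) throws SQLException {
        String sql = "select count(*) from authors where lastname = ?";
        try (PreparedStatement pstmt = conn.prepareStatement(sql)) {
            pstmt.setString(1, lastname); // placeholders are numbered from 1
            try (ResultSet rs = pstmt.executeQuery()) {
                rs.next();
                return rs.getInt(1);
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        // Assumption: a JDBC driver for in-memory SQLite (e.g. sqlite-jdbc) is on the classpath.
        try (Connection conn = DriverManager.getConnection("jdbc:sqlite::memory:");
             Statement setup = conn.createStatement()) {
            setup.execute("create table authors (lastname text)");
            setup.execute("insert into authors values ('O''Brien'), ('Smith')");
            String name = "O'Brien"; // constructed input: a legitimate name containing an apostrophe
            System.out.println("prepared statement: " + countByPreparedStatement(conn, name));
            try {
                System.out.println("concatenation: " + countByConcatenation(conn, name));
            } catch (SQLException e) {
                // The apostrophe in the data closes the string literal early and the
                // remainder is parsed as SQL, which is exactly the injection hazard.
                System.out.println("concatenation: SQL error: " + e.getMessage());
            }
        }
    }
}
```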
<p>
<h2>Task Information</h2>
<p>
In this lab, you will study and modify code relating to SQL injection attacks. You will answer a couple of questions related to prepared/parameterized statements.

<p>
Use the “hint” and “give up” buttons if necessary.

<p>
<h2>Interactive Lab (<span id="grade"></span>)</h2>
<p>
The following example code in Java is vulnerable to SQL injection: the
value being searched for is concatenated directly into the query string.
(This example was taken directly from
the <a href="https://github.com/ossf/secure-sw-dev-fundamentals/blob/main/secure_software_development_fundamentals.md">Secure
Software Development Fundamentals</a> course content.)
Rewrite these statements so this sequence uses a prepared statement
(a kind of parameterized statement).
In the first part, create variable named <tt>pstmt</tt> of type
<tt>PreparedStatement</tt>.
In the second part, use <tt>setString</tt> to set what we're searching for,
and put the results in a variable named <tt>results</tt> with type <tt>ResultSet</tt>.
Use <tt>executeQuery</tt> to execute the query, since in this case we want
a collection of results.

<form id="lab">
<pre><code
> // Prepare to execute a query.
<textarea id="attempt0" rows="4" cols="60" spellcheck="false"
>  String QueryString =
     "select * from authors where lastname = ' " +
     search_lastname + " '; ";
</textarea>
  // Execute the query.
<textarea id="attempt1" rows="3" cols="60" spellcheck="false"
>  rs = statement.executeQuery(QueryString);
</textarea>
</code></pre>
<button type="button" class="hintButton">Hint</button>
<button type="button" class="resetButton">Reset</button>
<button type="button" class="giveUpButton">Give up</button>
</form>
<br><br>
<p>
<i>This lab was developed by Elijah Everett, Jeremiah Howard, and Emily Lovell as part of the
<a href="https://github.com/emmet0r/contributor-catalyst"
>Contributor Catalyst Program</a>, as well as by David A. Wheeler.</i>
<br><br>
<p id="correctStamp" class="small">
<textarea id="debugData" class="displayNone" rows="20" cols="65" readonly>
</textarea>
</div>
</body>
</html>
